How Hackers Can Get Your Passwords Using iOS Mail Pop-Ups

Apple has just fixed the annoying iOS Messages bug with the latest iOS 8.4 beta release. However, another iOS bug has appeared which, if the source is to be believed, Apple is aware of and hasn’t done anything about.

Apple fixes Messages bug – iOS Mail bug arrives

Last month saw a simple text string crashing iOS Messages apps, sometimes rebooting the device and other times preventing the user from opening the app. Apple has reportedly patched the aforementioned iOS Messages crashing bug with iOS 8.4 Beta 4.

However, another bug is getting some deserved attention today thanks to a security researcher. Jan Soucek has published an iOS Mail bug on GitHub that is more critical than a device or app crash. The bug enables hackers to steal passwords through Mail pop-ups that look like genuine iCloud prompts.

An email message delivered to the target loads HTML content, which lets the attacker show a prompt asking the user for their password or other sensitive information. Given the Apple-like look of the prompt, there is a high chance that a targeted victim will fall for this malicious trick.

According to Soucek, he reported the iOS Mail bug to Apple in January but the company has remained quiet over the issue.

Back in January 2015 I stumbled upon a bug in iOS’s mail client, resulting in HTML tag in e-mail messages not being ignored. This bug allows remote HTML content to be loaded, replacing the content of the original e-mail message. JavaScript is disabled in this UIWebView, but it is still possible to build a functional password “collector” using simple HTML and CSS.

The security specialist hopes that his latest attempt, publishing the bug as the Mail.app inject kit on GitHub, will raise awareness and push Apple to take action. Here’s the proof-of-concept video of the iOS Mail bug.